Jump to content

Chocolatey / 7zip package detected as PUA after recent update Win32/DealPly.VO


Recommended Posts

Today I've noticed a lot of detections of PUAs, in relation to a 7zip package we deployed via Chocolatey, It is being detected as Win32/DealPly.VO. However as far as I'm aware this package does not actually contain adware.

Detection screenshot attached.

Not a big deal, I will do a remote scan and resolve the threat. However I wanted to highlight this here, as a potential false positive.

 

16 jul 7z choc dealply.jpg

Link to comment
Share on other sites

We are also seeing a lot of Win32/DealPly.VO detections all of a sudden for MSI's that are part of our managed application delivery system (Liquit Software) and seem to be false positives.

Link to comment
Share on other sites

Which specific version of 7zip is it? The versions from the official website does not seem to have this issue. 

Update: could you provide the hashes of the objects being detected?

Edited by Jamil-soc
Link to comment
Share on other sites

We are also seeing a lot of  Win32/DealPly.VO detections

These are some of the hashes: 

5801F56A22AC5452663AC199BF92429F4A050BFD

D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6

 

Link to comment
Share on other sites

The hash that hits for us is D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6

Link to comment
Share on other sites

  • Administrators

Are you still getting the detection? If so, please post the information about installed ESET modules.

Do you have LiveGrid enabled?

Link to comment
Share on other sites

I'm seeing the same on the 7-Zip installers.

7z1900.exe SHA1: 2F23A6389470DB5D0DD2095D64939657D8D3EA9D

7z1900-x64.exe SHA1: 9FA11A63B43F83980E0B48DC9BA2CB59D545A4E8

Module info:

Detection Engine: 23636 (20210716)
Rapid Response module: 18607 (20210716)
Update module: 1023 (20200701)
Antivirus and antispyware scanner module: 1576 (20210616)
Advanced heuristics module: 1207.1 (20210421)
Archive support module: 1320 (20210629)
Cleaner module: 1220.1 (20210702)
Anti-Stealth support module: 1174.1 (20210712)
Firewall module: 1424.1 (20210630)
ESET SysInspector module: 1281.1 (20210407)
Translation support module: 1867 (20210625)
HIPS support module: 1417.4 (20210624)
Internet protection module: 1425 (20210416)
Database module: 1113 (20210624)
Configuration module (39): 1958.3 (20210525)
LiveGrid communication module: 1111 (20210527)
Specialized cleaner module: 1014 (20200129)
Rootkit detection and cleaning module: 1031.1 (20210401)
Network protection module: 1689.1 (20210517)
Script scanner module: 1098 (20210601)
Connected Home Network module: 1042 (20210608)
Cryptographic protocol support module: 1061 (20210510)
Deep behavioral inspection support module: 1115 (20210618)
Advanced Machine Learning module: 1107 (20210601)

 

Edited by TheESETer
Link to comment
Share on other sites

ESET Endpoint Antivirus 8.0.2028.0  with LiveGrid enabled
ESET Enterprise Inspector Agent 1.6.1716
ESET Management Agent 8.1.1223.0

 

Module info:
Detection Engine: 23636 (20210716)
Rapid Response module: 18607 (20210716)
Update module: 1023 (20200701)
Antivirus and antispyware scanner module: 1576 (20210616)
Advanced heuristics module: 1207.1 (20210421)
Archive support module: 1320 (20210629)
Cleaner module: 1220.1 (20210702)
Anti-Stealth support module: 1174.1 (20210712)
Firewall module: 1424.1 (20210630)
ESET SysInspector module: 1281.1 (20210407)
Translation support module: 1867 (20210625)
HIPS support module: 1417.4 (20210624)
Internet protection module: 1425 (20210416)
Database module: 1113 (20210624)
Configuration module (39): 1958.3 (20210525)
LiveGrid communication module: 1111 (20210527)
Specialized cleaner module: 1014 (20200129)
Rootkit detection and cleaning module: 1031.1 (20210401)
Network protection module: 1689.1 (20210517)
Script scanner module: 1098 (20210601)
Connected Home Network module: 1042 (20210608)
Cryptographic protocol support module: 1061 (20210510)
Deep behavioral inspection support module: 1115 (20210618)
Advanced Machine Learning module: 1107 (20210601)
Telemetry module: 1063 (20210602)
Security Center integration module: 1031 (20210510)

Edited by Jeffry
Link to comment
Share on other sites

Was the Detection engine version 23635 (20210716) at the time of detection? you can check this under detection details in ESET Protect.

Link to comment
Share on other sites

Yes, detection engine was at 23635 (20210716) at the time of detection.

Link to comment
Share on other sites

Posted (edited)

Hi there

Detection engine at time of scan/detection: 23635 (20210716)

 

Hashes of objects 7zip related, detected as PUA: 

DD1CB1163C5572951C9CD27F5A8DD550B33C58A4

5801F56A22AC5452663AC199BF92429F4A050BFD

D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6

The PUAs were originally detected during idle state scanning of some machines.

We are now using an update detection engine 23637. Unsure if the problem still persists. I marked the issues as resolved and have initiated a re-scan of the machines. I have not added any exception for these objects. 

 

 

Edited by qwerty
Link to comment
Share on other sites

  • Administrators

You can restore the files from quarantine. It was 7z.sfx which was detected incorrectly as as a PUA as a result of refactoring the DealPly PUA detection. The detection was actually temporarily disabled in 23636 buta it seems that pico updates have re-enabled it until 23637 was released.

Link to comment
Share on other sites

Thank you for the quick update and fix! There was quite a panic when a few thousand of our workstations and laptops reported this detection 🙂 Thank god it was a false positive.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...